0.8.78

* finalized API token access #1415
8 months ago · a51a761215
6 changed files with 64 additions and 64 deletions
--- a/src/platformio.ini
+++ b/src/platformio.ini
@ -350,7 +350,7 @@ build_flags = ${env.build_flags}
    -DDEF_LED1=17
    -DLED_ACTIVE_HIGH
    -DARDUINO_USB_MODE=1
-    #-DARDUINO_USB_CDC_ON_BOOT=1
+    -DARDUINO_USB_CDC_ON_BOOT=1
 monitor_filters =
    esp32_exception_decoder, colorize

--- a/src/web/Protection.h
+++ b/src/web/Protection.h
@ -33,8 +33,7 @@ class Protection {
            return mInstance;
        }

-        void tickSecond() {
-            // auto logout
+        void tickSecond() { // auto logout
            if(0 != mLogoutTimeout) {
                if (0 == --mLogoutTimeout) {
                    if(mPwd[0] != '\0')
@ -77,8 +76,10 @@ class Protection {
            if(askedFromWeb)
                return !isIdentical(clientIp, mWebIp);

-             // API call
-            if(0 == mToken[0]) // token is zero, from WebUi (logged in)
+            if(nullptr == token)
+                return true;
+
+            if('*' == token[0]) // call from WebUI
                return !isIdentical(clientIp, mWebIp);

            if(isIdentical(clientIp, mApiIp))
@ -92,10 +93,9 @@ class Protection {
            mToken.fill(0);
            for(uint8_t i = 0; i < 16; i++) {
                mToken[i] = random(1, 35);
-                if(mToken[i] < 10)
-                    mToken[i] += 0x30; // convert to ascii number 1-9 (zero isn't allowed)
-                else
-                    mToken[i] += 0x37; // convert to ascii upper case character A-Z
+                // convert to ascii number 1-9 (zero isn't allowed) or upper
+                // case character A-Z
+                mToken[i] += (mToken[i] < 10) ? 0x30 : 0x37;
            }
        }

--- a/src/web/RestApi.h
+++ b/src/web/RestApi.h
@ -841,15 +841,8 @@ class RestApi {
                return true;
            }

-            if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
-                if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
-                    const char* token = jsonIn["token"];
-                    if(mApp->isProtected(clientIP, token, false)) {
-                        jsonOut[F("error")] = F(IS_PROTECTED);
-                        return false;
-                    }
-                }
-            }
+            if(isProtected(jsonIn, jsonOut, clientIP))
+                return false;

            Inverter<> *iv = mSys->getInverterByPos(jsonIn[F("id")]);
            bool accepted = true;
@ -894,15 +887,8 @@ class RestApi {
        }

        bool setSetup(JsonObject jsonIn, JsonObject jsonOut, const char *clientIP) {
-            if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
-                if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
-                    const char* token = jsonIn["token"];
-                    if(mApp->isProtected(clientIP, token, false)) {
-                        jsonOut[F("error")] = F(IS_PROTECTED);
-                        return false;
-                    }
-                }
-            }
+            if(isProtected(jsonIn, jsonOut, clientIP))
+                return false;

            #if !defined(ETHERNET)
            if(F("scan_wifi") == jsonIn[F("cmd")])
@ -951,6 +937,25 @@ class RestApi {
            return true;
        }

+        bool isProtected(JsonObject jsonIn, JsonObject jsonOut, const char *clientIP) {
+            if(mConfig->sys.adminPwd[0] != '\0') { // check if admin password is set
+                if(strncmp("*", clientIP, 1) != 0) { // no call from MqTT
+                    const char* token = nullptr;
+                    if(jsonIn.containsKey(F("token")))
+                        token = jsonIn["token"];
+
+                    if(!mApp->isProtected(clientIP, token, false))
+                        return false;
+
+                    jsonOut[F("error")] = F(IS_PROTECTED);
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
+    private:
        IApp *mApp = nullptr;
        HMSYSTEM *mSys = nullptr;
        HmRadio<> *mRadioNrf = nullptr;
--- a/src/web/html/index.html
+++ b/src/web/html/index.html
@ -41,27 +41,24 @@
            var release = null;

            function apiCb(obj) {
-                var e = document.getElementById("apiResult");
+                var e = document.getElementById("apiResult")
                if(obj.success) {
-                    e.innerHTML = " {#COMMAND_EXE}";
-                    getAjax("/api/index", parse);
-                }
-                else
-                    e.innerHTML = " {#ERROR}: " + obj.error;
+                    e.innerHTML = " {#COMMAND_EXE}"
+                    getAjax("/api/index", parse)
+                } else
+                    e.innerHTML = " {#ERROR}: " + obj.error
            }

            function setTime() {
-                var date = new Date();
-                var obj = new Object();
-                obj.cmd = "set_time";
-                obj.val = parseInt(date.getTime() / 1000);
-                getAjax("/api/setup", apiCb, "POST", JSON.stringify(obj));
+                var date = new Date()
+                var obj = {cmd: "set_time", token: "*", val: parseInt(date.getTime() / 1000)}
+                getAjax("/api/setup", apiCb, "POST", JSON.stringify(obj))
            }

            function parseGeneric(obj) {
                if(exeOnce)
-                    parseESP(obj);
-                parseRssi(obj);
+                    parseESP(obj)
+                parseRssi(obj)
            }

            function parseSys(obj) {
--- a/src/web/html/setup.html
+++ b/src/web/html/setup.html
@ -559,31 +559,26 @@
            }

            function setTime() {
-                var date = new Date();
-                var obj = new Object();
-                obj.cmd = "set_time";
-                obj.val = parseInt(date.getTime() / 1000);
-                getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj));
-                setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000);
+                var date = new Date()
+                var obj = {cmd: "set_time", token: "*", val: parseInt(date.getTime() / 1000)}
+                getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj))
+                setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000)
            }

            function scan() {
-                var obj = new Object();
-                obj.cmd = "scan_wifi";
+                var obj = {cmd: "scan_wifi", token: "*"}
                getAjax("/api/setup", apiCbWifi, "POST", JSON.stringify(obj));
                setTimeout(function() {getAjax('/api/setup/networks', listNetworks)}, 5000);
            }

            function syncTime() {
-                var obj = new Object();
-                obj.cmd = "sync_ntp";
-                getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj));
-                setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000);
+                var obj = {cmd: "sync_ntp", token: "*"}
+                getAjax("/api/setup", apiCbNtp, "POST", JSON.stringify(obj))
+                setTimeout(function() {getAjax('/api/index', apiCbNtp2)}, 2000)
            }

            function sendDiscoveryConfig() {
-                var obj = new Object();
-                obj.cmd = "discovery_cfg";
+                var obj = {cmd: "discovery_cfg", token: "*"}
                getAjax("/api/setup", apiCbMqtt, "POST", JSON.stringify(obj));
            }

@ -837,8 +832,9 @@

                function ivSave() {
                    var o = new Object();
-                    o.cmd  = "save_iv";
-                    o.id   = obj.id;
+                    o.cmd  = "save_iv"
+                    o.token = "*"
+                    o.id   = obj.id
                    o.ser  = parseInt(document.getElementsByName("ser")[0].value, 16);
                    o.name = document.getElementsByName("name")[0].value;
                    o.en   = document.getElementsByName("enable")[0].checked;
--- a/src/web/html/visualization.html
+++ b/src/web/html/visualization.html
@ -454,18 +454,20 @@
                    val = 100;

                var obj = new Object();
-                obj.id = id;
-                obj.cmd = cmd;
-                obj.val = Math.round(val*10);
-                getAjax("/api/ctrl", ctrlCb, "POST", JSON.stringify(obj));
+                obj.id = id
+                obj.token = "*"
+                obj.cmd = cmd
+                obj.val = Math.round(val*10)
+                getAjax("/api/ctrl", ctrlCb, "POST", JSON.stringify(obj))
            }

            function applyCtrl(id, cmd, val=0) {
                var obj = new Object();
-                obj.id  = id;
-                obj.cmd = cmd;
-                obj.val = val;
-                getAjax("/api/ctrl", ctrlCb2, "POST", JSON.stringify(obj));
+                obj.id  = id
+                obj.token = "*"
+                obj.cmd = cmd
+                obj.val = val
+                getAjax("/api/ctrl", ctrlCb2, "POST", JSON.stringify(obj))
            }

            function ctrlCb(obj) {